Sophos Firewall: How to configure IPSec VPN Client to site with users synced from AD

1.The purpose of the article

In this article, techbast will show you how to configure IPSec client to site so that users can access the system remotely with accounts synced from AD.

2.Diagram

Details:

  • The Sophos firewall device was connected to the internet through port 2 with WAN IP 192.168.2.103.
  • The LAN area of the Sophos Firewall device is configured on port 1 with IP 10.145.41.1/24 and allocates network class 10.145.41.0/24 by DHCP.
  • In the LAN layer, there is also an AD Server with IP 10.145.41.11/24, on this server, an IT OU has been created, in the IT OU there is a Support group, in the Support group there are users as user1,user2,user3.
  • We will have a computer outside the internet to make the IPSec VPN Client to site connection.

3.Scenario

We will configure the IPSec VPN Client to site feature on the Sophos Firewall device, after configuration, we will use the user from AD to connect and when connecting it will receive an IP in the range 10.81.234.5- 10.81.234.55 and gain access to the LAN layer resources.

4.Step to take

  • AD sync
  • Import OU and Group
  • Create profile for LAN and VPN subnet
  • Configure IPSec VPN Client to site Profile
  • Open User Portal service in WAN port
  • Create policy
  • Result

5.Configuration

5.1.AD Sync

The first step we need to sync AD with Sophos Firewall.

To synchronize we go to CONFIGURE > Authentication > Server > click Add.

Configure with the following parameters:

  • Server type: select Active Directory
  • Server name*: LearningIT
  • Server IP/domain: 10.145.41.11
  • Connection security: select Plaintext
  • Port*: 389
  • NetBIOS domain: LEARNINGIT
  • ADS user name*: administrator
  • Password*: enter password of administartor account
  • Display name attribute: Leave blank
  • Email address attribute: mail
  • Domain name*: learningit.xyz
  • Search quries*: click Add and enter dc=learningit,dc=xyz and click OK.
  • Click Test connection to test the connection to the AD server.
  • Click Save.

5.2.Import OU and Group

After successful AD sync, we need to import OU and Group from AD.

Click the icon as shown in the image to perform the import.

Now the Import group wizard help window appears, click Start.

In Step 1: Provide base DN for group, select dc=learningit,dc=xyz from the drop-down menu.

In Step 2: Select AD groups to import will show the OUs and groups that AD currently has, here techbast will select the Support group located in the IT OU as shown.

Press the “>” button to continue.

Press the “>” button to continue.

Press the “>” button and OK to continue.

Click Close.

After importing, we can go to CONFIGURE > Authentication > Group to check if the group has been imported.

As a result, the Support group was imported.

Next for the firewall device to authenticate users from AD we need to go to CONFIGURE > Authentication > Service.

In the Firewall authentication methods section, we see that currently we only perform authentication for local accounts on the firewall.

We tick LearningIT this is the server we just synced and on the right side, we hold down the mouse on LearningIT and drag it above Local.

Click Apply.

5.3.Create profile for LAN and VPN subnet

To create, go to SYSTEM > Hosts and Servers > click Add.

Create a profile for the LAN subnet with the following parameters:

  • Name*: Local
  • IP version*: IPv4
  • Type*: Network
  • IP address*: 10.145.41.0 – Subnet: /24[255.255.255.0]
  • Click Save

Similarly, we create a profile for the IPSec VPN client to site subnet with the following parameters:

  • Name*: IPSec_VPN_Client_to_site
  • IP version*: IPv4
  • Type*: chọn IP range
  • IP address*: 10.81.234.5 – 10.81.234.55
  • Click Save

5.5.Configure IPSec Client to site Profile

To configure, go to CONFIGURE > IPsec [remote access] (on version 17, Sophos Connect client) > Click Add.

Configure with the following parameters:

  • IPsec remote access: check Enable
  • Interface*: select Port2 – 192.168.2.103
  • Authentication type*: select Preshared key
  • Preshare key*: Enter the password in the 2 boxes Pre Shared key and Confirm Preshare key.
  • Allowed users and groups: Select the Support group that has just been synced.
  • Name*: set name IPSec_VPN
  • Assign IP from*: Fill in the IP range that will be given to the user when connecting is 10.81.234.5 – 10.81.234.55
  • Permitted network resources [IPv4]*: select the newly created Local profile.
  • Click Apply.

After completing the configuration, we will export the connection to the computer by clicking the Export connection button.

After exporting we will get the IPSec_VPN.tar.gz file, we will extract this file and get the 1 KB IPSec_VPN.scx file, this is the file we will use to connect the VPN.

Send this scx file to a computer outside the internet to connect to the VPN.

5.6.Open User Portal service in WAN Port

In order for users to access the User Portal from outside the internet to download VPN software, we need to open this service on the WAN port of the Sophos device.

To open go to SYSTEM > Administration > Device Access.

In the WAN row, we select the User Portal service.

Click Apply.

5.7.Create Policy

When the user connects IPSec VPN client to site to the system, the user cannot connect to the LAN.

It is necessary to have the policy to allow traffic between the LAN and VPN zones.

To create a policy, go to PROTECT > Rules and Policies > click Add firewall rule > New firewall.

Create according to the following parameters:

  • Rule status: ON
  • Rule name*: IPSec_VPN_Client_to_site
  • Action: Accept
  • Log firewall traffic: check on box
  • Rule position: Top
  • Rule group: None
  • Source zones*: select LAN and VPN
  • Source networks and devices*: select 2 profile Local and IPSec_VPN_Client_to_site.
  • During scheduled time: select All the time.
  • Destination zones*: select LAN and VPN
  • Destination networks*: select 2 profile IPSec_VPN_Client_to_site and Local.
  • Service*: select Any.
  • Check on box Match know users.
  • In User or groups*: Select the Support group. (Optional means that when connecting to IPSec VPN, only users in this group can apply this policy).
  • Click Save.

5.8.Result

After we complete the configuration to use the computer outside the internet to make the IPSec VPN Client to site connection.

In the first step we need to access the user portal to download the software.

To access the user portal we access the link https://192.168.2.103.

After accessing, we enter the account and password to log in.

Techbast will use user1 synced from AD to log in.

After logging in we click on VPN and Download client for Windows to download Sophos Connect software.

Then install Sophos Connect client software as shown below.

Check I accept the Sophos End User License Agreement and acknowledge the Sophos Privacy Policy and click Install.

Click Yes.

Installation is in progress.

Check Launch Sophos Connect when installer closes and select Finish.

After successful installation, the application will appear in the System Tray at the bottom right of the screen.

Right-click Sophos Connect and click Import Connection.

Find the scx file you just sent and select.

In the Connections table, the IPSec_VPN connection we just added will appear and click Connect to connect.

The Authenticate user box appears, enter the user1 account and password and click Sign in.

A successful connection message appears.

Finally do a ping to the AD Server to check if the connection to the LAN is working.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.